MODEL CHECKING CONCURRENT AND REAL-TIME SYSTEMS: THE PAT APPROACH

LIU YANG (B.Sc. (Hons.), NUS)

A THESIS SUBMITTED FOR THE DEGREE OF DOCTOR OF PHILOSOPHY
DEPARTMENT OF COMPUTER SCIENCE
NATIONAL UNIVERSITY OF SINGAPORE
2009

Acknowledgement

First and foremost, I am deeply indebted to my supervisors, Dr. Dong Jin Song and Dr. Rudy Setiono, for their guidance, advice and encouragement throughout the course of my doctoral program. They have given me immense support in various ways, and have also helped me stay on track in doing research.

I am deeply grateful to Dr. Sun Jun, who acts as both a friend and co-supervisor in my graduate study. I thank him for introducing me to the exciting area of model checking. His supervision and crucial contribution made him a backbone of this research. His involvement and his originality have triggered and nourished my intellectual maturity, which I will benefit from for a long time to come.

I am grateful to Dr. Joxan Jaffar, Dr. Chin Wei Ngan and Dr. P. S. Thiagarajan for their valuable suggestions and comments on my research work. I owe special thanks to Dr. Chen Wei, Dr. Liu Yanhong, Dr. Abhik Roychoudhury, Dr. Pang Jun and others for their research collaborations. To my seniors, Dr. Li Yuanfang, Dr. Chen Chunqing, Dr. Sun Jing, Dr. Wang H. Hai, Dr. Qin Shengchao and Feng Yuzhang, and to fellow student Zhang Xian: thank you for your support and friendship throughout my Ph.D. study.
This study was in part funded by the projects "Rigorous Design Methods and Tools for Intelligent Autonomous Multi-Agent Systems" and "Advanced Modeling Checking Systems", supported by the Ministry of Education of Singapore; the project "Reliable Software Design and Development for Sensor Network Systems", supported by the National University of Singapore Academic Research Fund; and the project "Systematic Design Methods and Tools for Developing Location Aware, Mobile and Pervasive Computing Systems", supported by the Singapore National Research Foundation-Interactive Digital Media. The School of Computing also provided the funding for me to present papers at several conferences overseas. In addition, I have been encouraged by receiving the Microsoft Asia Research Fellowship 2007 and the Research Achievement Award 2009. For all this, I am very grateful.

Lastly, I wish to sincerely and deeply thank my parents Liu Maolin and Zhou Xiuling, who have taken care of me with great love in these years. I thank my wife Tan Chen, for all the love.

Contents

1 Introduction
1.1 Motivation and Goals
1.2 Summary of Contributions
1.3 Thesis Outline and Overview 10
1.4 Publications from the Thesis 11
2 Background 13
2.1 Basics of Model Checking 14
2.2 System Modeling 15
2.3 Specification and Verification 16
2.3.1 Safety Property 16
2.3.2 Liveness Properties and Linear Temporal Logics 17
2.3.3 Partial Order Reduction 19
2.4 Model Checking Real-time Systems 20
2.4.1 Discrete-time Systems 21
2.4.2 Dense-time Systems 22
3 System Modeling 23
3.1 Concurrent System Modeling 24
3.1.1 Syntax 25
3.1.2 Semantics 32
3.1.3 Discussion 36
3.1.4 Case Study: a Multi-lift System 38
3.2 Real-time System Modeling 39
3.2.1 Syntax 40
3.2.2 Semantics 41
3.2.3 Case Study: Fischer's Algorithm 43
3.3 Summary 43
4 Model Checking Fairness Enhanced Systems 45
4.1 Background 46
4.2 Fairness Definitions 48
4.3 Model Checking under Fairness as Loop/SCC Searching 53
4.4 An Algorithm for Model Checking under Fairness 57
4.4.1 Coping with Different Notions of Fairness 59
4.4.2 Complexity and Soundness 61
4.5 Event Annotated Fairness 62
4.6 A Multi-Core Model Checking Algorithm 66
4.6.1 Shared-Memory Platform 66
4.6.2 Parallel Fairness Model Checking Algorithm 67
4.6.3 Complexity and Soundness 71
4.7 Experiments 73
4.7.1 Experiments for Sequential Fairness Verification 73
4.7.2 Experiments for Multi-core Fairness Verification 77
4.8 Summary 81
5 Applications of Fairness Model Checking 83
5.1 The Population Protocol Model 84
5.2 Population Ring Protocol Examples 86
5.2.1 Two hop coloring 86
5.2.2 Orienting undirected rings 89
5.2.3 Leader election 89
5.2.4 Token circulation 92
5.3 Experiments of Population Protocols 93
5.4 Process Counter Abstraction 95
5.4.1 System Models 96
5.4.2 Process Counter Representation 99
5.5 Fair Model Checking Algorithm with Counter Abstraction 101
5.6 Counter Abstraction for Infinitely Many Processes 107
5.7 Experiments of Process Counter Abstraction 109
5.8 Summary 112
6 Refinement Checking 113
6.1 FDR and Refinement Checking 114
6.2 An Algorithm for Refinement Checking 117
6.2.1 On-the-fly Refinement Checking Algorithm 117
6.2.2 Partial Order Reduction 120
6.3 Experiments 126
6.4 Summary 127
7 Applications of Refinement Checking 129
7.1 Linearizability 130
7.1.1 Formal Definition 131
7.2 Linearizability as Refinement Relations 134
7.2.1 Model Construction 134
7.2.2 Verification of Linearizability 138
7.3 Experiments of Linearizability Checking 139
7.4 Web Service and Conformance Checking 141
7.5 Web Service Modeling 142
7.5.1 Choreography: Syntax and Semantics 142
7.5.2 Orchestration: Syntax and Semantics 145
7.6 Web Service Conformance Verification 149
7.7 Experiments of Conformance Checking 151
7.8 Summary 153
8 Bounded Model Checking of Compositional Processes 155
8.1 Background 156
8.2 Encoding of Processes 157
8.2.1 Encoding Simple Processes 157
8.2.2 Composing Encodings 159
8.3 LTL Properties Encoding and Verification 164
8.4 Experiments 165
8.5 Summary 168
9 Verification of Real-time Systems 169
9.1 Zone Abstraction 170
9.1.1 Clock Activation and De-activation 170
9.1.2 Zone Abstraction 172
9.1.3 Zone Operations 175
9.2 Verification of Real-time Systems 178
9.2.1 LTL-X Model Checking 180
9.2.2 Refinement Checking 181
9.2.3 Timed Refinement Checking 183
9.3 Experiments 190
9.4 Summary 194
10 Tool Implementation: Process Analysis Toolkit 195
10.1 Overview of PAT 196
10.2 System Design 198
10.3 PAT Modules 201
10.3.1 CSP Module 201
10.3.2 Real-time System Module 202
10.3.3 Web Service Module 203
10.4 Summary 205
11 Conclusion 207
11.1 Summary of the Thesis 207
11.2 On-going and Future Works 209
11.2.1 Tool Development 210
11.2.2 Model Checking Techniques 211
11.2.3 Module Development 212
A Operational Semantics of CSP# 233
B CSP# Models of Population Protocols 235
C Operational Semantics of Abstract Real-Time System 237
D PAT History 239

Summary

The design and verification of concurrent and real-time systems are notoriously difficult problems. Among the software validation techniques, the model checking approach has proved successful as an automatic and effective solution. In this thesis, we study the verification of concurrent and real-time systems using the model checking approach.

First, we design an integrated formal language for concurrent and real-time modeling, which combines high-level specification languages with mutable data variables and low-level procedural code for the purpose of efficient system analysis, in particular model checking. Timing requirements are captured using behavior patterns such as deadline, timeout, etc. A formal semantic model is defined for this language. Based on this modeling language, we investigate the LTL verification problem with a focus on fairness assumptions, and the refinement checking problem, with the following results.

1. We propose a unified on-the-fly model checking algorithm to handle a variety of fairness assumptions, which is further tuned to support parallel verification on multi-core architectures with shared memory.
We apply the proposed algorithm to a set of self-stabilizing population protocols, which only work under global fairness. One previously unknown bug is discovered in a leader election protocol. Population protocols are designed for networks with a large or even unbounded number of nodes, which gives rise to the state space explosion problem. To solve this problem, we develop a process counter abstraction technique to handle parameterized systems under fairness. We show that model checking under fairness is feasible, even without knowledge of process identifiers.

2. Based on the ideas in FDR, we present an on-the-fly model checking algorithm for refinement checking, incorporating advanced model checking techniques. This algorithm is successfully applied to automatic linearizability verification and conformance checking between Web Services.

Symbolic model checking is capable of handling large state spaces. We present an alternative solution

BIBLIOGRAPHY

[158] M. Musuvathi and S. Qadeer. Fair Stateless Model Checking. In Proceedings of the ACM SIGPLAN 2008 Conference on Programming Language Design and Implementation (PLDI 2008), pages 362–371. ACM, 2008.
[159] X. Nicollin and J. Sifakis. The Algebra of Timed Processes, ATP: Theory and Application. Information and Computation, 114(1):131–178, 1994.
[160] J. Ouaknine and J. Worrell. On the Language Inclusion Problem for Timed Automata: Closing a Decidability Gap. In Proceedings of the 19th IEEE Symposium on Logic in Computer Science (LICS 2004), pages 54–63, 2004.
[161] J. Pang, Z. Q. Luo, and Y. X. Deng. On Automatic Verification of Self-stabilizing Population Protocols. In Proceedings of the 2nd IEEE International Symposium on Theoretical Aspects of Software Engineering (TASE 2008), pages 185–192. IEEE, 2008.
[162] A. Parashkevov and J. Yantchev. ARC - a Tool for Efficient Refinement and Equivalence Checking for CSP. In Proceedings of the IEEE International Conference on Algorithms and Architectures for Parallel Processing (ICA3PP 1996), pages 68–75, 1996.
[163] D. Peled. All from One, One for All: on Model Checking Using Representatives. In Proceedings of the 5th International Conference on Computer Aided Verification (CAV 1993), volume 697 of LNCS, pages 409–423, 1993.
[164] D. Peled. Combining Partial Order Reductions with On-the-fly Model-Checking. In Proceedings of the 6th International Conference on Computer Aided Verification (CAV 1994), pages 377–390, 1994.
[165] C. A. Petri. Fundamentals of a Theory of Asynchronous Information Flow. In Proceedings of IFIP Congress, pages 386–390, 1963.
[166] A. Pnueli and Y. Sa'ar. All You Need Is Compassion. In Proceedings of the 9th International Conference on Verification, Model Checking and Abstract Interpretation (VMCAI 2008), volume 4905 of LNCS, pages 233–247, 2008.
[167] A. Pnueli, J. Xu, and L. Zuck. Liveness with (0, 1, ∞)-Counter Abstraction. In Proceedings of the 14th International Conference on Computer Aided Verification (CAV 2002), volume 2204 of LNCS, pages 107–122, 2002.
[168] F. Pong and M. Dubois. A New Approach for the Verification of Cache Coherence Protocols. IEEE Transactions on Parallel and Distributed Systems, 6(8):773–787, 1995.
[169] G. Pu, J. Shi, Z. Wang, L. Jin, J. Liu, and J. He. The Validation and Verification of WSCDL. In Proceedings of the 14th Asia-Pacific Software Engineering Conference (APSEC 2007), pages 81–88. IEEE Computer Society, 2007.
[170] A. Puhakka and A. Valmari. Liveness and Fairness in Process-Algebraic Verification. In Proceedings of the 12th International Conference on Concurrency Theory (CONCUR 2001), pages 202–217, 2001.
[171] S. C. Qin, J. S. Dong, and W.-N. Chin. A Semantic Foundation for TCOZ in Unifying Theories of Programming. In Proceedings of the International Symposium of Formal Methods Europe (FME 2003), pages 321–340, 2003.
[172] Z. Y. Qiu, X. P. Zhao, C. Cai, and H. L. Yang. Towards the Theoretical Foundation of Choreography. In Proceedings of the 16th International World Wide Web Conference (WWW 2007), pages 973–982, 2007.
[173] J.-P. Queille and J. Sifakis. Fairness and Related Properties in Transition Systems - A Temporal Logic to Deal with Fairness. Acta Informatica, 19:195–220, 1983.
[174] G. M. Reed and A. W. Roscoe. A Timed Model for Communicating Sequential Processes. In Proceedings of the 13th Colloquium on Automata, Languages and Programming (ICALP 1986), volume 226 of LNCS, pages 314–323. Springer, 1986.
[175] A. W. Roscoe. Model-checking CSP. In A Classical Mind: Essays in Honour of C. A. R. Hoare, pages 353–378, 1994.
[176] A. W. Roscoe. The Theory and Practice of Concurrency. Prentice-Hall, 1997.
[177] A. W. Roscoe. Compiling Shared Variable Programs into CSP. In Proceedings of PROGRESS Workshop 2001, 2001.
[178] A. W. Roscoe. On the Expressive Power of CSP Refinement. Formal Aspects of Computing, 17(2):93–112, 2005.
[179] A. W. Roscoe, P. H. B. Gardiner, M. Goldsmith, J. R. Hulance, D. M. Jackson, and J. B. Scattergood. Hierarchical Compression for Model-Checking CSP or How to Check 10^20 Dining Philosophers for Deadlock. In Proceedings of the 1st International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS 1995), pages 133–152, 1995.
[180] P. Y. A. Ryan and S. A. Schneider. An Attack on a Recursive Authentication Protocol. A Cautionary Tale. Information Processing Letters, 65(1):7–10, 1998.
[181] S. Schneider. An Operational Semantics for Timed CSP. Information and Computation, 116(2):193–213, 1995.
[182] S. Schneider. Concurrent and Real-time Systems: the CSP Approach. John Wiley and Sons, 2000.
[183] S. Schneider, J. Davies, D. M. Jackson, G. M. Reed, J. N. Reed, and A. W. Roscoe. Timed CSP: Theory and Practice. In Proceedings of Real-Time: Theory in Practice, REX Workshop, pages 640–675, London, UK, 1992. Springer-Verlag.
[184] S. Schneider and H. Treharne. Communicating B Machines. In Proceedings of the 2nd International Conference of B and Z Users (ZB 2002), pages 416–435. Springer, 2002.
[185] S. A. Schneider and R. Delicata. Verifying Security Protocols: An Application of CSP. In 25 Years Communicating Sequential Processes, pages 243–263, 2004.
[186] C. H. Shann, T. L. Huang, and C. Chen. A Practical Nonblocking Queue Algorithm Using Compare-and-Swap. In Proceedings of the 7th International Conference on Parallel and Distributed Systems (ICPADS 2000), pages 470–475. IEEE, 2000.
[187] J. Sifakis. The Compositional Specification of Timed Systems - A Tutorial. In Proceedings of the 11th International Conference on Computer Aided Verification (CAV 1999), volume 1633 of LNCS, pages 2–7. Springer, 1999.
[188] A. P. Sistla and E. Clarke. The Complexity of Propositional Temporal Logics. Journal of the ACM, 32:733–749, 1986.
[189] G. Smith. The Object-Z Specification Language. Kluwer Academic Publishers, 2000.
[190] G. Smith and J. Derrick. Specification, Refinement and Verification of Concurrent Systems - an Integration of Object-Z and CSP. Formal Methods in System Design, 18:249–284, May 2001.
[191] O. Strichman. Accelerating Bounded Model Checking of Safety Properties. Formal Methods in System Design, 24(1):5–24, 2004.
[192] J. Sun and J. S. Dong. Design Synthesis from Interaction and State-Based Specifications. IEEE Transactions on Software Engineering, 32(6):349–364, 2006.
[193] J. Sun, Y. Liu, and J. S. Dong. Model Checking CSP Revisited: Introducing a Process Analysis Toolkit. In Proceedings of the 3rd International Symposium on Leveraging Applications of Formal Methods, Verification and Validation (ISoLA 2008), pages 307–322. Springer, 2008.
[194] J. Sun, Y. Liu, J. S. Dong, and C. Q. Chen. Integrating Specification and Programs for System Modeling and Verification. In Proceedings of the 3rd IEEE International Symposium on Theoretical Aspects of Software Engineering (TASE 2009), pages 127–135, 2009.
[195] J. Sun, Y. Liu, J. S. Dong, and J. Pang. A Unified Framework for Model Checking under Fairness. Submitted for review.
[196] J. Sun, Y. Liu, J. S. Dong, and J. Pang. Towards a Toolkit for Flexible and Efficient Verification under Fairness. Technical Report TRB2/09, National Univ. of Singapore, Dec 2008. http://www.comp.nus.edu.sg/~pat/report.ps.
[197] J. Sun, Y. Liu, J. S. Dong, and J. Pang. PAT: Towards Flexible Verification under Fairness. In Proceedings of the 21st International Conference on Computer Aided Verification (CAV 2009), pages 702–708, Grenoble, France, June 2009.
[198] J. Sun, Y. Liu, J. S. Dong, and G. G. Pu. Model-based Methods for Linking Web Service Choreography and Orchestration. Submitted for review.
[199] J. Sun, Y. Liu, J. S. Dong, and J. Sun. Bounded Model Checking of Compositional Processes. In Proceedings of the 2nd IEEE International Symposium on Theoretical Aspects of Software Engineering (TASE 2008), pages 23–30. IEEE Computer Society, 2008.
[200] J. Sun, Y. Liu, J. S. Dong, and J. Sun. Compositional Encoding for Bounded Model Checking. Frontiers of Computer Science in China, 2(4):368–379, November 2008.
[201] J. Sun, Y. Liu, J. S. Dong, F. Wang, L. A. Tuan, and M. Zheng. Verifying Safety Critical Compositional Real-time Systems by Refinement Checking. Submitted for review.
[202] J. Sun, Y. Liu, J. S. Dong, and H. H. Wang. Specifying and Verifying Event-based Fairness Enhanced Systems. In Proceedings of the 10th International Conference on Formal Engineering Methods (ICFEM 2008), pages 318–337. Springer, Oct 2008.
[203] J. Sun, Y. Liu, J. S. Dong, and H. H. Wang. Verifying Stateful Timed CSP using Implicit Clocks and Zone Abstraction. In Proceedings of the 11th International Conference on Formal Engineering Methods (ICFEM 2009), Dec 2009. Accepted.
[204] J. Sun, Y. Liu, A. Roychoudhury, S. Liu, and J. S. Dong. Fair Model Checking of Parameterized Systems. In Proceedings of the 16th International Symposium on Formal Methods (FM 2009), 2009. Accepted.
[205] K. Taguchi and K. Araki. The State-Based CCS Semantics for Concurrent Z Specification. In ICFEM, pages 283–292, 1997.
[206] R. Tarjan. Depth-first Search and Linear Graph Algorithms. SIAM Journal on Computing, 2:146–160, 1972.
[207] S. Tasiran, R. Alur, R. P. Kurshan, and R. K. Brayton. Verifying Abstractions of Timed Systems. In Proceedings of the 7th International Conference on Concurrency Theory (CONCUR 1996), volume 1119 of LNCS, pages 546–562, 1996.
[208] H. Tej and B. Wolff. A Corrected Failure-Divergence Model for CSP in Isabelle/HOL. In Proceedings of the 4th International Symposium on Formal Methods (FM 1997), 1997.
[209] W. Thomas. Automata on Infinite Objects. In Handbook of Theoretical Computer Science (vol. B): Formal Models and Semantics, pages 133–191, 1990.
[210] R. K. Treiber. Systems Programming: Coping with Parallelism. Technical Report RJ 5118, IBM Almaden Research Center, 1986.
[211] V. Vafeiadis. Shape-Value Abstraction for Verifying Linearizability. In Proceedings of the 10th International Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI 2009), pages 335–348. Springer, 2009.
[212] V. Vafeiadis, M. Herlihy, T. Hoare, and M. Shapiro. Proving Correctness of Highly-concurrent Linearisable Objects. In Proceedings of the 11th ACM SIGPLAN Symposium on Principles and Practice of Parallel Programming (PPoPP 2006), pages 129–136. ACM, 2006.
[213] A. Valmari. A Stubborn Attack On State Explosion. In Proceedings of the 2nd International Workshop on Computer Aided Verification (CAV 1990), pages 156–165, 1991.
[214] A. Valmari. Stubborn Set Methods for Process Algebras. In Proceedings of the Workshop on Partial Order Methods in Verification (PMIV 1996), pages 213–231, 1996.
[215] M. Vechev and E. Yahav. Deriving Linearizable Fine-grained Concurrent Objects. In Proceedings of the 2008 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2008), pages 125–135. ACM, 2008.
[216] H. Völzer, D. Varacca, and E. Kindler. Defining Fairness. In Proceedings of the 16th International Conference on Concurrency Theory (CONCUR 2005), pages 458–472. Springer, 2005.
[217] F. Wang, R. Wu, and G. Huang. Verifying Timed and Linear Hybrid Rule-Systems with RED. In Proceedings of the 17th International Conference on Software Engineering & Knowledge Engineering (SEKE 2005), pages 448–454, 2005.
[218] L. Wang and S. Stoller. Static Analysis of Atomicity for Programs with Non-blocking Synchronization. In Proceedings of the 10th ACM SIGPLAN Symposium on Principles and Practice of Parallel Programming (PPoPP 2005), pages 61–71. ACM, 2005.
[219] H. Wehrheim. Partial Order Reductions for Failures Refinement. Electronic Notes in Theoretical Computer Science, 27, 1999.
[220] J. Woodcock. Formal Specification of the Lift Problem. In M. Harandi, editor, Proceedings of the 4th IEEE International Workshop on Software Specification and Design (IWSSD 1987). IEEE Press, 1987.
[221] J. Woodcock and A. Cavalcanti. The Semantics of Circus. In Proceedings of the 2nd International Conference of B and Z Users (ZB 2002), pages 184–203. Springer, 2002.
[222] J. Woodcock and J. Davies. Using Z: Specification, Refinement, and Proof. Prentice-Hall International, 1996.
[223] W. Yi. CCS + Time = An Interleaving Model for Real Time Systems. In Proceedings of the 18th Colloquium on Automata, Languages and Programming (ICALP 1991), volume 510 of LNCS, pages 217–228. Springer, 1991.
[224] W. Yi, P. Pettersson, and M. Daniels. Automatic Verification of Real-time Communicating Systems by Constraint-Solving. In Proceedings of the 14th International Conference on Formal Techniques for Networked and Distributed Systems (FORTE 1994), pages 243–258. Chapman & Hall, 1994.
[225] S. J. Zhang, Y. Liu, J. Sun, J. S. Dong, W. Chen, and Y. A. Liu. Formal Verification of Scalable NonZero Indicators. In Proceedings of the 21st International Conference on Software Engineering & Knowledge Engineering (SEKE 2009), pages 406–411, 2009.
[226] W. Zhang. SAT-Based Verification of LTL Formulas. In Proceedings of the 11th International Workshop FMICS 2006, pages 277–292, 2006.

Appendix A
Operational Semantics of CSP#

The following are firing rules associated with process constructs other than those discussed in Section 3.1.2. Let $e \in \Sigma$, $e_\tau \in \Sigma \cup \{\tau\}$, $x \in \Sigma \cup \{\checkmark\}$ and $* \in \Sigma \cup \{\tau, \checkmark\}$.

[hide1] $\dfrac{(V,P) \xrightarrow{e} (V',P'),\ e \in X}{(V, P \setminus X) \xrightarrow{\tau} (V', P' \setminus X)}$

[hide2] $\dfrac{(V,P) \xrightarrow{x} (V',P'),\ x \notin X}{(V, P \setminus X) \xrightarrow{x} (V', P' \setminus X)}$

[seq1] $\dfrac{(V,P) \xrightarrow{e_\tau} (V',P')}{(V, P;Q) \xrightarrow{e_\tau} (V', P';Q)}$

[seq2] $\dfrac{(V,P) \xrightarrow{\checkmark} (V',P')}{(V, P;Q) \xrightarrow{\tau} (V', Q)}$

[ch1] $\dfrac{(V,P) \xrightarrow{x} (V',P')}{(V, P \,\Box\, Q) \xrightarrow{x} (V', P')}$

[ch2] $\dfrac{(V,Q) \xrightarrow{x} (V',Q')}{(V, P \,\Box\, Q) \xrightarrow{x} (V', Q')}$

[ch3] $\dfrac{(V,P) \xrightarrow{\tau} (V',P')}{(V, P \,\Box\, Q) \xrightarrow{\tau} (V', P' \,\Box\, Q)}$

[ch4] $\dfrac{(V,Q) \xrightarrow{\tau} (V',Q')}{(V, P \,\Box\, Q) \xrightarrow{\tau} (V', P \,\Box\, Q')}$

[non1] $(V, P \sqcap Q) \xrightarrow{\tau} (V, P)$

[non2] $(V, P \sqcap Q) \xrightarrow{\tau} (V, Q)$

[int1] $\dfrac{(V,P) \xrightarrow{e_\tau} (V',P')}{(V, P \,|||\, Q) \xrightarrow{e_\tau} (V', P' \,|||\, Q)}$

[int2] $\dfrac{(V,Q) \xrightarrow{e_\tau} (V',Q')}{(V, P \,|||\, Q) \xrightarrow{e_\tau} (V', P \,|||\, Q')}$

[int3] $\dfrac{(V,P) \xrightarrow{\checkmark} (V',P'),\ (V,Q) \xrightarrow{\checkmark} (V',Q')}{(V, P \,|||\, Q) \xrightarrow{\checkmark} (V', P' \,|||\, Q')}$

[inter1] $\dfrac{(V,P) \xrightarrow{*} (V',P')}{(V, P \,\triangle\, Q) \xrightarrow{*} (V', P' \,\triangle\, Q)}$

[inter2] $\dfrac{(V,Q) \xrightarrow{\tau} (V',Q')}{(V, P \,\triangle\, Q) \xrightarrow{\tau} (V', P \,\triangle\, Q')}$

[inter3] $\dfrac{(V,Q) \xrightarrow{e} (V',Q')}{(V, P \,\triangle\, Q) \xrightarrow{e} (V', Q')}$

Appendix B
CSP# Models of Population Protocols

    #define N 3; #define C 3;
    var color[N]; var precolor[N]; var succolor[N];
    Interaction(u, v) = if (color[v] == precolor[u] && color[v] != succolor[u]) {
        act1.u.v{succolor[v] = color[u]} -> Interaction(u, v)
    } else if (color[v] == succolor[u] && color[v] != precolor[u]) {
        act2.u.v{precolor[v] = color[u];} -> Interaction(u, v)
    } else {
        act3.u.v{precolor[u] = color[v]; succolor[v] = color[u]} -> Interaction(u, v)
    };
    Init() = ...;
    OrientingUndirected() = Init(); ||| x:{0..N-1}@(Interaction(x, (x+1)%N) ||| Interaction((x+1)%N, x));
    #define property1 (x:{0..N-1}@ precolor[x] != succolor[x]);
    #define property2 (...);
    #assert OrientingUndirected() |= property1;
    #assert OrientingUndirected() |= property2;

Figure B.1: CSP# model for orienting undirected ring protocol

    #define N 3;
    var leader[N]; var label[N]; var probe[N]; var phase[N]; var bullet[N];
    Interact(u, v) =
        [label[u] == label[v] && probe[u] ==  && phase[u] == 0]
            act1.u.v{leader[u] = 1; probe[u] = 0; bullet[v] = 0; phase[u] = 1; probe[v] = 1;} -> Interact(u, v)
     [] [label[u] == label[v] && probe[u] ==  && phase[u] ==  && probe[v] == 0]
            act2.u.v{leader[u] = 1; probe[u] = 0; bullet[v] = 0; label[v] = - label[v]; phase[v] = 0;} -> Interact(u, v)
     [] ...
     [] [label[u] != label[v] && leader[v] ==  && bullet[v] ==  && probe[v] == 0]
            act11.u.v{bullet[u] = 1; bullet[v] = 0;} -> Interact(u, v);
    Init() = ...;
    LeaderElection() = Init(); (||| x:{0..N-1}@Interact(x, (x+1)%N));
    #define leaderelection (leader[0] + leader[1] + leader[2] == 1);
    #assert LeaderElection() |= leaderelection;

Figure B.2: CSP# model for leader election protocol in odd rings

    #define N 3;
    var leader[N]; var label[N]; var token[N];
    Rule1(u, v) = [!leader[u] && leader[v] && label[u] == label[v]]
        (rule1.u.v{token[u] = 0; token[v] = 1; label[v] = - label[u];} -> Rule1(u, v));
    Rule2(u, v) = [!leader[v] && label[u] != label[v]]
        (rule2.u.v{token[u] = 0; token[v] = 1; label[v] = label[u];} -> Rule2(u, v));
    Init() = ...;
    TokenCirculation() = Init(); (||| x:{0..N-1}@(Rule1(x, (x+1)%N) ||| Rule2(x, (x+1)%N)));
    #define onetoken (token[0] + token[1] + token[2] == 1);
    #assert TokenCirculation() |= onetoken;

Figure B.3: CSP# model for token circulation protocol

Appendix C
Operational Semantics of Abstract Real-Time System

The following are abstract firing rules associated with process constructs other than those discussed in Section 9.1.2. Let $e \in \Sigma$ and $x \in \Sigma \cup \{\checkmark\}$.

[aki] $(V, Skip, D) \overset{\checkmark}{\hookrightarrow} (V, Stop, D^{\uparrow})$

[agu] $\dfrac{V \models b}{(V, [b]P, D) \overset{\tau}{\hookrightarrow} (V, P, D^{\uparrow})}$

[aev] $(V, e\{prg\} \to P, D) \overset{e}{\hookrightarrow} (prg(V), P, D^{\uparrow})$

[aex1] $\dfrac{(V,P,D) \overset{x}{\hookrightarrow} (V',P',D')}{(V, P \mid Q, D) \overset{x}{\hookrightarrow} (V', P', D' \wedge \iota(V,Q,D))}$

[aex2] $\dfrac{(V,Q,D) \overset{x}{\hookrightarrow} (V',Q',D')}{(V, P \mid Q, D) \overset{x}{\hookrightarrow} (V', Q', D' \wedge \iota(V,P,D))}$

[apa1] $\dfrac{(V,P,D) \overset{e}{\hookrightarrow} (V',P',D'),\ e \notin \alpha Q}{(V, P \parallel Q, D) \overset{e}{\hookrightarrow} (V', P' \parallel Q, D' \wedge \iota(V,Q,D))}$

[apa2] $\dfrac{(V,Q,D) \overset{e}{\hookrightarrow} (V',Q',D'),\ e \notin \alpha P}{(V, P \parallel Q, D) \overset{e}{\hookrightarrow} (V', P \parallel Q', D' \wedge \iota(V,P,D))}$

[apa3] $\dfrac{(V,P,D) \overset{e}{\hookrightarrow} (V,P',D'),\ (V,Q,D) \overset{e}{\hookrightarrow} (V,Q',D''),\ e \in \alpha P \cap \alpha Q}{(V, P \parallel Q, D) \overset{e}{\hookrightarrow} (V, P' \parallel Q', D' \wedge D'')}$

[ase1] $\dfrac{(V,P,D) \overset{x}{\hookrightarrow} (V',P',D'),\ x \neq \checkmark}{(V, P;Q, D) \overset{x}{\hookrightarrow} (V', P';Q, D' \wedge (\checkmark \in init(V,P) \vee D))}$

$\dfrac{(V,P,D) \overset{\checkmark}{\hookrightarrow} (V',P',D')}{(V, P;Q, D) \overset{\tau}{\hookrightarrow} (V, Q, D \wedge D')}$

$\dfrac{(V,P,D) \overset{x}{\hookrightarrow} (V',P',D'),\ Q = P}{(V, Q, D) \overset{x}{\hookrightarrow} (V', P', D')}$

Appendix D
PAT History

The PAT project started in July 2007 at the National University of Singapore. PAT was originally named Libra for its emphasis on fairness model checking. It was soon renamed PAT because of a conflict with a Microsoft search engine.
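The firing rules of Appendix A, executed as code: the interpreter below is an added example written for this page, not PAT's implementation. It encodes a CSP# process term as nested tuples (the encoding, the names `step`, `reachable` and `demo`, and the string "tick" standing for ✓ are this example's own assumptions), and `step` returns exactly the labelled successors the rules admit for a configuration (V, P). Recursive process definitions and data guards are left out; the rule labels in the comments refer to the rules listed above.

```python
"""Interpreter for the CSP# firing rules of Appendix A (hiding, sequential
composition, external and internal choice, interleaving, interrupt).
Added example, not PAT's code.  Assumed term encoding:
  ("stop",)                       Stop
  ("skip",)                       Skip
  ("prefix", e, prg, P)           e{prg} -> P, prg: dict -> dict, or None
  ("seq", P, Q)                   P ; Q
  ("ext", P, Q) / ("int", P, Q)   P [] Q  /  P |~| Q
  ("inter", P, Q)                 P ||| Q
  ("intr", P, Q)                  P /\\ Q   (interrupt)
  ("hide", P, X)                  P \\ X, X a frozenset of event names
The valuation V is a frozenset of (name, value) pairs so configurations hash."""

TAU, TICK = "tau", "tick"   # tau = silent event, tick = termination event (the rules' check mark)


def step(V, P):
    """All (label, V', P') successors of configuration (V, P) under the rules."""
    kind, out = P[0], set()
    if kind == "skip":                                   # Skip -tick-> Stop
        out.add((TICK, V, ("stop",)))
    elif kind == "prefix":                               # e{prg} -> P fires e and runs prg
        _, e, prg, P1 = P
        V1 = frozenset(prg(dict(V)).items()) if prg else V
        out.add((e, V1, P1))
    elif kind == "hide":
        _, P1, X = P
        for l, V1, P2 in step(V, P1):                    # [hide1]: e in X becomes tau
            out.add((TAU if l in X else l, V1, ("hide", P2, X)))   # [hide2]: others pass
    elif kind == "seq":
        _, P1, Q = P
        for l, V1, P2 in step(V, P1):
            out.add((TAU, V1, Q) if l == TICK            # [seq2]: P terminated, start Q
                    else (l, V1, ("seq", P2, Q)))        # [seq1]
    elif kind == "ext":
        _, P1, Q = P
        for l, V1, P2 in step(V, P1):                    # [ch3]: tau keeps the choice open
            out.add((l, V1, ("ext", P2, Q)) if l == TAU else (l, V1, P2))   # [ch1]
        for l, V1, Q2 in step(V, Q):                     # [ch4] / [ch2]
            out.add((l, V1, ("ext", P1, Q2)) if l == TAU else (l, V1, Q2))
    elif kind == "int":
        _, P1, Q = P
        out |= {(TAU, V, P1), (TAU, V, Q)}               # [non1], [non2]
    elif kind == "inter":
        _, P1, Q = P
        sp, sq = step(V, P1), step(V, Q)
        out |= {(l, V1, ("inter", P2, Q)) for l, V1, P2 in sp if l != TICK}   # [int1]
        out |= {(l, V1, ("inter", P1, Q2)) for l, V1, Q2 in sq if l != TICK}  # [int2]
        tp = [P2 for l, _, P2 in sp if l == TICK]
        tq = [Q2 for l, _, Q2 in sq if l == TICK]
        if tp and tq:                                    # [int3]: both sides terminate together
            out.add((TICK, V, ("inter", tp[0], tq[0])))
    elif kind == "intr":
        _, P1, Q = P
        out |= {(l, V1, ("intr", P2, Q)) for l, V1, P2 in step(V, P1)}        # [inter1]
        for l, V1, Q2 in step(V, Q):                     # [inter2]: tau keeps P waiting;
            out.add((l, V1, ("intr", P1, Q2)) if l == TAU else (l, V1, Q2))   # [inter3]: Q's event discards P
    return out


def reachable(V0, P0):
    """Explicit-state exploration; returns (configurations, transitions)."""
    seen, work, trans = {(V0, P0)}, [(V0, P0)], set()
    while work:
        V, P = work.pop()
        for l, V1, P1 in step(V, P):
            trans.add(((V, P), l, (V1, P1)))
            if (V1, P1) not in seen:
                seen.add((V1, P1))
                work.append((V1, P1))
    return seen, trans


def demo():
    """(a{x=x+1} -> Skip); (b{x=x+1} -> Skip) ||| (c -> Skip), with c hidden.
    Returns (#configurations, labels seen, x values of terminated configurations)."""
    inc = lambda s: {**s, "x": s["x"] + 1}
    P = ("seq", ("prefix", "a", inc, ("skip",)), ("prefix", "b", inc, ("skip",)))
    Q = ("prefix", "c", None, ("skip",))
    system = ("hide", ("inter", P, Q), frozenset({"c"}))
    states, trans = reachable(frozenset({("x", 0)}), system)
    terminated = ("hide", ("inter", ("stop",), ("stop",)), frozenset({"c"}))
    done = {dict(V)["x"] for V, Pr in states if Pr == terminated}
    return len(states), {l for _, l, _ in trans}, done


if __name__ == "__main__":
    print(demo())
```

The interleaving rules [int1]/[int2] deliberately let only Σ ∪ {τ} through and leave termination to [int3], which is why the hidden `c` shows up as `tau` in the demo while the final `tick` is only produced once both sides have reached Skip.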
After finishing LTL verification under fairness assumptions, we looked at bounded model checking, which resulted in a bounded model checker for CSP. However, we found that bounded model checking was difficult to apply to variables. Since we were extending the modeling languages quickly, we decided to stop the development of the bounded model checker. At the same time, the on-the-fly refinement checking algorithm was quickly implemented in PAT, following the ideas in FDR. In 2008, we started to look for applications of the model checking algorithms we had developed. Our first application was fairness model checking of population protocols, which was successful and uncovered a bug. The second application was to verify linearizability. After several attempts, we found that refinement checking can be applied to it directly. At ICSE 2008, we successfully demonstrated PAT as an analysis toolkit for CSP [146]. After that, we started the development of the Web Service module with an architecture redesign. Starting from 2009, we looked at real-time verification, since there was very little tool support for Timed CSP. The RTS module was completely finished in September 2009. We also looked at reductions and optimizations for fairness model checking, for example multi-core support and process counter abstraction. Currently, PAT version 2.7.0 is publicly available at our web site [1]. We keep working on improvements to every aspect of the system. Our aim is to develop an easy-to-use, powerful and efficient analysis toolkit for concurrent systems.

PAT Users

As a research tool, PAT has been used by quite a number of institutions for various purposes. Till now, there have been more than 400 downloads from 93 organizations in 23 countries and regions. PAT has also been used for teaching two courses (CS4211 Advanced Software Engineering and CS5232 Formal Methods) at the National University of Singapore.
More than 300 students are using it as an educational tool for learning process algebra and model checking. PAT's development involved collaboration with Microsoft Research Asia. We worked with the theory group at Microsoft Research Asia to model check distributed algorithms, with successful results. PAT has been used as a model checker for web service choreography verification at Peking University in China.

Maturity and Robustness

After two years of development, PAT has reached a stable stage with solid testing. The toolkit has been developed as a self-contained application with a user-friendly design. The editing functions are complete. Detailed debugging messages pop up for syntax errors. A rich set of simulation and model checking options is also provided for different requirements. Currently the system contains 1213 classes with more than 110K LOC. We have conducted heavy testing to guarantee correctness. Internally, we have a complete set of unit tests for the whole system. For black-box testing, PAT has been used to model hundreds of systems with different properties. Currently, there are 50 built-in examples in PAT ranging from classical concurrent algorithms, math puzzles, real world problems (e.g., pacemaker), population protocols, security protocols and recently published distributed algorithms (e.g., the mailbox problem). For scalability, the model checker in PAT is capable of handling tens of millions of states within several hours, which is comparable to SPIN. The simulator can display up to several hundred states while remaining readable. The whole system has gone through two syntax changes and one system redesign. Object-oriented design is incorporated maximally, which makes extending the language and the properties easy and independent.